It seems that rlm_sql_process_groups in rlm_sql.c does not handle this situation
1. If paircompare fails in rlm_sql_process_groups it should not return found=1 2. rlm_sql_authorize should handle return code of rlm_sql_process_groups so that if it is not found it should actually return not found and not "OK" diff ./src/modules/rlm_sql/rlm_sql.c.ORIG ./src/modules/rlm_sql/rlm_sql.c 676a677,682 > else > { > found = 0; > DEBUG2("rlm_sql (%s): User not found in > group %s", > inst->config->xlat_name, > group_list_tmp->groupname); > } 1004a1011,1015 > else > { > /* rows == 0 here */ > found = 0; > } 1048a1060,1064 > else > { > /* rows == 0 here */ > found = 0; > Comments? -- View this message in context: http://www.nabble.com/authorization%3A-unlang-NAS-IP-Address-tp18609937p18617625.html Sent from the FreeRadius - User mailing list archive at Nabble.com. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html